Description
Object serialization allows complex data structures to be transferred over channels such as HTTP. The presence of a serialized object in traffic to or from the application indicates that the application may deserialize data it receives, which exposes it to object deserialization vulnerabilities. Deserializing objects from untrusted sources can lead to serious security risks, including remote code execution and data tampering.
Recommendation
To address the risk associated with serialized objects:
- Evaluate the necessity of deserializing objects from untrusted sources and minimize such dependencies wherever possible.
- Implement strict validation mechanisms to ensure that only trusted and properly formatted serialized objects are accepted.
- Consider using safer alternatives to object serialization, such as JSON or XML, which offer better security controls.
- Employ runtime protections and monitor for any anomalous deserialization activities that could indicate exploitation attempts.
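The validation, safer-format and monitoring recommendations above, worked through in Python as an added example (this is not code from the page or from any product it describes). It assumes Python 3.8+ with only the standard library; the class allowlist, the record schema and the sample payloads are hypothetical and constructed for illustration. The unpickler refuses any class not on an explicit allowlist and records every refusal for monitoring, and the JSON loader shows the data-only alternative with a field schema enforced.

```python
"""Allowlisted unpickling plus a JSON-with-schema alternative.

Added example for this advisory, not code from the page or any product it
describes. Assumes Python 3.8+ and only the standard library; the allowlist,
schema and sample payloads below are hypothetical, chosen for illustration.
"""
import collections
import io
import json
import pickle

# Hypothetical allowlist: the only (module, name) globals the unpickler may
# resolve. Plain dicts, lists, strings and numbers need no globals at all, so
# a short list covers legitimate records while blocking arbitrary classes.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "range"),
}

# Every refused lookup is recorded here so a monitoring hook can alert on it
# (the "anomalous deserialization activity" the recommendation asks to watch).
REJECTION_LOG = []


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not present in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        REJECTION_LOG.append((module, name))
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def restricted_loads(data: bytes):
    """Return (value, None) on success or (None, reason) when the payload is refused."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load(), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


def benign_payload() -> bytes:
    """Constructed sample: a record built only from built-in container types."""
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


def unexpected_class_payload() -> bytes:
    """Constructed sample: harmless, but references a class outside the allowlist.

    An attacker-controlled stream would reference a dangerous callable instead;
    the allowlist refuses both for the same reason, before anything is instantiated.
    """
    return pickle.dumps(collections.OrderedDict(user="mallory"))


# --- Safer alternative: a data-only format with an explicit schema -----------

# Hypothetical schema for the one record type this service accepts.
RECORD_SCHEMA = {"user": str, "roles": list}


def load_record_json(raw: str):
    """Parse a JSON record and enforce RECORD_SCHEMA. Returns (record, None) or (None, reason)."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, f"malformed JSON: {exc.msg}"
    if not isinstance(obj, dict):
        return None, "top-level value must be an object"
    unknown = sorted(set(obj) - set(RECORD_SCHEMA))
    if unknown:
        return None, f"unexpected fields: {unknown}"
    for field, expected in RECORD_SCHEMA.items():
        if not isinstance(obj.get(field), expected):
            return None, f"field {field!r} must be {expected.__name__}"
    if not all(isinstance(role, str) for role in obj["roles"]):
        return None, "roles must be a list of strings"
    return obj, None


if __name__ == "__main__":
    print(restricted_loads(benign_payload()))
    print(restricted_loads(unexpected_class_payload()))
    print("rejections logged:", REJECTION_LOG)
    print(load_record_json('{"user": "alice", "roles": ["reader"]}'))
    print(load_record_json('{"user": "alice", "roles": ["reader"], "is_admin": true}'))
```

The allowlist is deliberately tiny: legitimate records made of built-in types never trigger `find_class`, so anything that does is worth logging even when it is refused. The JSON path never instantiates application classes at all, which is why the recommendation prefers it; the schema check is what turns "it parsed" into "it is the record we expected".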
References
Related Issues
- Apache Tomcat Manager Login Found - Vulnerability
- Insecure Deserialization Remote Code Execution - Vulnerability
- Insecure Deserialization - Vulnerability
- Old/Backup Resource Found - Vulnerability
Tags:
- Deserialization
Last updated on May 13, 2024